Poly Network Exploit
Cross-chain manager contract bug allowed an attacker to swap the keeper public key and withdraw $611M from three chains — eventually returned in full.
- Date
- Victim: Poly Network
- Status: Recovered
On August 10, 2021, an attacker drained roughly $611M in tokens from the Poly Network cross-chain protocol across Ethereum, BNB Chain and Polygon. Within two weeks the attacker returned every cent and was offered a $500K bounty and a job.
What happened
Poly Network used a pair of cross-chain contracts, EthCrossChainManager and EthCrossChainData, to relay messages between supported chains. The relayer contract had a public function (verifyHeaderAndExecuteTx) that could make arbitrary calls to the data contract, including to the data contract's putCurEpochConPubKeyBytes function, which set the keeper public key.
By crafting a cross-chain proof that resolved to that internal function, the attacker rotated the keeper public key to one they controlled. From that point on, every cross-chain withdrawal could be signed by them.
Aftermath
- The attacker initially claimed to have done it "for fun" and began returning funds within 24 hours, publicly negotiating with Poly Network via on-chain messages.
- All $611M was returned. Poly Network publicly offered the attacker a $500K bounty and the role of "Chief Security Advisor."
- The exploit became a textbook example of why cross-chain message executors should not be able to mutate trust-critical state.
Why it matters
The Poly Network bug was not in cryptography or in the keeper signing — it was in what the executor was authorised to call. Any cross-chain bridge that can call administrative functions on its own configuration must treat the executor as a privileged caller.
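The authorisation gap described above can be shown with a small model. This is an added example, not Poly Network's contract code: the Python classes, the `hardened` switch, the `protected` list and the sample key values are all constructed for illustration, and proof verification is assumed to have already succeeded.

```python
class Unauthorized(Exception):
    pass

class DataContract:
    """Trust-critical configuration: holds the keeper public key."""
    def __init__(self, owner, keeper_key):
        self.owner, self.keeper_key = owner, keeper_key

    def put_cur_epoch_con_pub_key_bytes(self, caller, new_key):
        if caller is not self.owner:            # owner-only guard
            raise Unauthorized("caller is not the owner")
        self.keeper_key = new_key

class TokenApp:
    """Ordinary destination contract a cross-chain message is meant to reach."""
    def __init__(self):
        self.unlocked = []

    def unlock(self, caller, payload):
        self.unlocked.append(payload)

class Manager:
    """Executor: dispatches a verified message to the target and method it names."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.protected = []                     # contracts messages must never reach

    def execute(self, target, method, payload):
        # Proof and signature checks are assumed to have passed already.
        if self.hardened and any(target is p for p in self.protected):
            raise Unauthorized("target is trust-critical state")
        getattr(target, method)(self, payload)  # the target sees the manager as caller

def run(hardened):
    manager = Manager(hardened)
    data = DataContract(owner=manager, keeper_key="keeper-A")  # constructed values
    app = TokenApp()
    manager.protected.append(data)
    manager.execute(app, "unlock", "100 tokens")               # legitimate traffic
    try:
        manager.execute(data, "put_cur_epoch_con_pub_key_bytes", "keeper-B")
        blocked = False
    except Unauthorized:
        blocked = True
    return data.keeper_key, blocked, app.unlocked

if __name__ == "__main__":
    print(run(hardened=False), run(hardened=True))
```

The owner-only guard on the data contract passes in the unhardened run because the executor itself is the owner; the hardened run keeps ordinary message delivery working while refusing any message whose target is the configuration store.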
Sources & on-chain evidence
- [01] medium.com: https://medium.com/@MrToph/the-initial-analysis-of-the-poly-network-hack-c4f8d3b69cb4
- [02] twitter.com: https://twitter.com/PolyNetwork2/status/1425073987164381196
- 0xad7a2c70c958fcd3effbf374d0acf3774a9257577625ae4c838e24b0de17602a